Subject: Re: Security patching and the branching workflow: a new security-updates branch
From: Léo Le Bouter
To: zimoun, guix-devel@gnu.org
Date: Sat, 27 Mar 2021 15:14:18 +0100

On Sat, 2021-03-27 at 14:56 +0100, zimoun wrote:
> Oh, I am a big boy and I can think whatever I want! :-)
>
> Kidding aside. ...
>
> First, what does it mean «risk»? How do you evaluate it? Is it a
> relative evaluation or an absolute one?

Most if not all users do not want their machines to be compromised or
any side-effects of that.

> Second, I am not arguing that security is not important. I am saying
> that security is important, as important as everything else that is
> also important. What does it mean «important»? How do you evaluate
> it? Is it a relative evaluation or an absolute one?

Having security-updates branch or any other mechanism to ship security
updates promptly does not mean that the rest is not important.

> Third, I am aligned with Leo’s words [1]. And probably with yours
> too. :-) To me, a better security is not implied by special
> treatments for security fixes but instead a better treatment for the
> updates in general.

Security updates *need* special treatment. We already specially treat
them with grafts because it's an absolute necessity. We already have
private disclosure mailing lists in GNU Guix because security updates
need special treatment.

>
> You are proposing a new branch and Chris and I are saying that this
> branch already exists and is staging. The real question is to know
> how staging currently behaves: how many time between 2 merges? how
> many time to rebuild? how many packages are rebuilt between 2
> merges? etc.
> Is it enough? If not, what could be done to improve? etc.

The question whether this is solved by a branch or by making pushing to
master directly big rebuilds more viable, that I do not know, but you
cannot put forward the arguments you've made, they do not work.

Léo